Access Governance documentation #167

Merged
merged 3 commits into from
Feb 26, 2024
Expand Up @@ -13,7 +13,7 @@ To learn more, visit: https://docs.oracle.com/en/cloud/paas/access-governance/ag

## Deployment Overview

The Terraform code in this folder deploys Oracle Access Governance. It is accomplished by deploying an Oracle Access Governance Instance, creating an Oracle Access Governance User and adding a Cloudgateway connected system. This workload supports only Identity Domain Tenancy.
The Terraform code in this folder deploys Oracle Access Governance. It is accomplished by deploying an Oracle Access Governance Instance, creating an Oracle Access Governance User and adding a Cloud gateway connected system. This workload supports only Identity Domain Tenancy.

## Prerequisites

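Review bot: the constraint "This workload supports only Identity Domain Tenancy" in the changed line is stated without saying where it is checked or why it holds; since the AGCS user is later created in the Default domain, suggest cross-referencing this requirement from the Prerequisites section so a reader on a tenancy without identity domains stops before running terraform apply.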
Expand All @@ -24,7 +24,7 @@ To deploy the Oracle Enterprise Landing Zone Workload Expansion from the Terrafo

## User

The Oracle Enterprise Landing Zone should be deployed by a user who is a member of the Administrators group for the tenancy. This user need to have an API key entry defined as decribed [here](https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm). Once the user and API Key are defined your oci-cli config should resemble:
The Oracle Enterprise Landing Zone should be deployed by a user who is a member of the Administrators group for the tenancy. This user needs to have an API key entry defined as described [here](https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm). Once the user and API Key are defined your oci-cli config should resemble below:

```text
[DEFAULT]
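Review bot: "your oci-cli config should resemble below:" in the second changed line is ungrammatical; suggest "your oci-cli config should resemble the following:". Since the `key_file=` entry in this block points at the Administrator's private key that drives the whole deployment, one sentence reminding readers to keep that config and key out of the repository (alongside terraform.tfvars) would be worth adding here.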
Expand All @@ -37,56 +37,48 @@ key_file=<path to your private keyfile> #your specific path


## Variables
| Variable Name | Description | Required | Default Value |
|----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|----------------------------------------------------------|
| **user_ocid** | OCID of the Administrator. | Yes | None |
| **fingerprint** | Fingerprint of the Administrator. | Yes | None |
| **tenancy_ocid** | OCID of the Administrator's Identity Domain Tenancy. | Yes | None |
| **region** | Region of the Administrator. | Yes | None |
| **private_key_path** | Private Key Path of Administrator. | Yes | None |
| **admin_domain_name** | Administrator's Identity Domain Name. | Yes | Default |
| **admin_domain_compartment_ocid** | Compartment of Identity Domain of the Administrator. | Yes | None |
| **service_instance_compartment_ocid** | Compartment OCID for Access Governance Instance. | Yes | <Security compartment created by Landing zone baseline.> |
| **service_instance_description** | Access Governance Instance Description. | Yes | Oracle Access Governance Servce Instance. |
| **service_instance_display_name** | Access Governance Instance Display Name. | Yes | access-governance-instance |
| **ag_license_type** | Access Governance Instance License Type. Supported license types are "Access Governance for Oracle Workloads", "Access Governance for Oracle Cloud Infrastructure" |Yes | None |
| **use_existing_agcs_user** | Set this value to either use existing Access Governance user or create new one. | No | false |
| **agcs_user_name** | New Access Governance User's name. | Yes | None |
| **agcs_user_email** | Email address for the user. | Yes | None |
| **agcs_user_group_display_name** | Group to create for Access Governance User. | Yes | None |
| **agcs_user_ocid_oci_system** | Access Governance User's OCID. | Yes | None |
| **agcs_user_private_key_path** | Private Key for Access Governance User. | Yes | None |
| **agcs_user_fingerprint_oci_system** | Access Governance User's Fingerprint. | Yes | None |
| **agcs_user_region_oci_system** | Region of the Access Governance User. | Yes | None |
| **agcs_user_tenancy_ocid_oci_system** | Access Governance User's Tenancy OCID. | Yes | None |
| **oci_system_description** | OCI Connected System Description. | Yes | OCI Connected System. |
| **oci_system_name** | OCI Connected System Name. | Yes | Local-OCI-System |
| Variable Name | Description | Required | Default Value |
|----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|--------------------------------------------------------------------|
| **user_ocid** | OCID of the Administrator. | Yes | None |
| **fingerprint** | Fingerprint of the Administrator. | Yes | None |
| **tenancy_ocid** | OCID of the Administrator's Identity Domain Tenancy. | Yes | None |
| **region** | Region of the Administrator. | Yes | None |
| **private_key_path** | Private Key Path of Administrator. | Yes | None |
| **admin_domain_name** | Administrator's Identity Domain Name. | Yes | Default |
| **admin_domain_compartment_ocid** | Compartment of Identity Domain of the Administrator. | Yes | None |
| **service_instance_compartment_ocid** | Compartment OCID for Access Governance Instance. | Yes | OCID of the Security compartment created by baseline Landing Zone. |
| **service_instance_description** | Access Governance Instance Description. | Yes | Oracle Access Governance Service Instance. |
| **service_instance_display_name** | Unique Access Governance Instance Display Name. | Yes | access-governance-instance |
| **ag_license_type** | Access Governance Instance License Type. Supported license types are "Access Governance for Oracle Workloads", "Access Governance for Oracle Cloud Infrastructure" | Yes | None |
| **use_existing_agcs_user** | Set this value to either use existing Access Governance user or create new one. | No | false |
| **agcs_user_name** | New Access Governance User's name. | Yes | prod_agcs_user |
| **agcs_user_email** | Email address for the user. | Yes | None |
| **agcs_user_group_display_name** | Group to create for Access Governance User. | Yes | prod_agcs_group |
| **agcs_user_ocid_oci_system** | Access Governance User's OCID. | Yes | None |
| **agcs_user_private_key_path** | Private Key for Access Governance User. | Yes | None |
| **agcs_user_fingerprint_oci_system** | Access Governance User's Fingerprint. | Yes | None |
| **agcs_user_region_oci_system** | Region of the Access Governance User. | Yes | None |
| **agcs_user_tenancy_ocid_oci_system** | Access Governance User's Tenancy OCID. | Yes | None |
| **oci_system_description** | OCI Connected System Description. | Yes | OCI Connected System. |
| **oci_system_name** | OCI Connected System Name. | Yes | Local-OCI-System |


## How to Execute

<blockquote> Currently only <b>production</b> deployment is supported via stack deployment, to deploy in <b>non-production</b> environment, run the Access Governance Module as standalone deployment. Please change the working directory to <i>oci-landing-zones/modules/access-governance</i> and enable the provider lines and disable remaining lines, fill the terraform.tfvars and follow terraform CLI commands</blockquote>

### Via Resource Manager
Use the Deploy to Oracle Cloud button which will take you directly to OCI Resource Manager if you are logged in.
<blockquote> Only new AGCS User scenario is supported via Resource Manager Deployment</blockquote>

1. Under **Working directory** select the directory *templates/enterprise-landing-zone*
2. Click Next.
3. Enter the values for required variables.
4. Click Next.
5. Click Next.
6. Click Apply.
Deployment via Resource Manager is currently not supported.

### Via Terraform CLI (Two Deployment Scenarios)
#### Deployment Scenario 1: use_existing_agcs_user = false:
1. Enter required variables in terraform.tfvars, for examples refer examples.tfvars file
1. Enter required variables in terraform.tfvars, for examples refer to templates/elz-access-governance/examples/new_agcs_user.tfvarexample
2. terraform init.
3. terraform plan.
4. terraform apply.

##### Oracle Access Governance Deployment: Access Governance Service Instance:
An Access Governance Service instance will be deployed in security compartment.
An Access Governance Service instance will be deployed in the security compartment.

##### Oracle Access Governance Deployment: AGCS Group:
A group will be created called AGCS Group, which is meant to have AGCS user and policies related to Access Governance functionalities.
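Review bot: the "Via Resource Manager" subsection now contradicts itself: the added line "Deployment via Resource Manager is currently not supported." sits directly under the unchanged instruction "Use the Deploy to Oracle Cloud button ..." and the blockquote "Only new AGCS User scenario is supported via Resource Manager Deployment", while the earlier blockquote still says production deployment "is supported via stack deployment". Either drop those leftover lines or restore the step list; as written a reader cannot tell which statement is current. Separately, in the variables table several rows marked Required "Yes" now carry concrete defaults (agcs_user_name "prod_agcs_user", agcs_user_group_display_name "prod_agcs_group", service_instance_display_name, oci_system_name); a variable with a default is optional, so either the Required column or the defaults should change.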
Expand All @@ -97,12 +89,12 @@ AGCS User which will be created in Default domain as the user needs visibility i
##### Oracle Access Governance Deployment: AGCS User Group Policy statements:
1. `ALLOW GROUP <domain>/<group> to inspect all-resources IN TENANCY`
2. `ALLOW GROUP <domain>/<group> to manage policies IN TENANCY where any {request.permission='POLICY_UPDATE' ,request.permission='POLICY_READ', request.permission='POLICY_DELETE',target.policy.name != 'Tenant Admin Policy'}`
3. `Allow GROUP <domain>/<group> to read audit-events IN TENANCY`
4. `Allow GROUP <domain>/<group> to manage domains IN TENANCY`
3. `ALLOW GROUP <domain>/<group> to read audit-events IN TENANCY`
4. `ALLOW GROUP <domain>/<group> to manage domains IN TENANCY`


#### Deployment Scenario 2: use_existing_agcs_user = true:
1. Enter required variables in terraform.tfvars, for examples refer templates/elz-access-governance/examples/new_agcs_user.tfvarexample
1. Enter required variables in terraform.tfvars, for examples refer to templates/elz-access-governance/examples/existing_agcs_user.tfvarexample
2. terraform init.
3. terraform plan.
4. terraform apply.
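Review bot: policy statement 2 in this hunk (unchanged context) uses `where any {...}` to combine the three permission checks with `target.policy.name != 'Tenant Admin Policy'`; because `any` is satisfied when a single clause is true, the name clause alone matches every policy other than the Tenant Admin Policy, and `request.permission='POLICY_UPDATE'` or `'POLICY_DELETE'` still matches on the Tenant Admin Policy itself, so the intended exclusion has no effect. If the goal is to keep the AGCS group from touching the Tenant Admin Policy, the name clause has to be required in conjunction with the permission clauses (an `all` condition), and the exact form should be checked against the OCI policy condition syntax before committing. The ALLOW capitalization and the existing_agcs_user.tfvarexample path fix are fine.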
Expand All @@ -121,7 +113,7 @@ AGCS User which will be created in Default domain as the user needs visibility i


##### Oracle Access Governance Deployment: Access Governance Service Instance:
An Access Governance Service instance will be deployed in security compartment.
An Access Governance Service instance will be deployed in the security compartment.

##### Oracle Access Governance Deployment: OCI system on Access Governance Instance:
Cloud gateway system will be added as connected system to the service instance.
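Review bot: the unchanged line "Cloud gateway system will be added as connected system to the service instance." is missing articles; suggest "The Cloud gateway system will be added as a connected system to the service instance." The changed sentence about the security compartment is also identical to the one under Scenario 1, so consider stating only what differs in Scenario 2 (the existing AGCS user is reused rather than created) so the two scenario sections do not read as copies.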
Expand All @@ -134,4 +126,4 @@ Licensed under the Universal Permissive License v 1.0 as shown at https://oss.or
See [LICENSE](../../LICENSE) for more details.

## Known Issues
None.
None.
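Review bot: the only change at "None." appears to be a trailing-newline fix, which is fine, but "Known Issues: None." is at odds with limitations stated earlier in the same file (Resource Manager deployment "currently not supported", only the production scenario supported via stack deployment); suggest listing those here so they are not missed.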